PHP Version Roundup

Last year, Anthony Ferrara posted an excellent roundup of PHP versions in the wild, specifically focusing on the volume of unpatched versions running production websites. Even as an estimate it was an eye-opening moment for many people.

12 months on I’ve reproduced this report focusing on:

- patch version fragmentation
- % change in install numbers
- % of installations running an insecure or out-of-date PHP version.

Introduction

Methodology

Matching Anthony’s approach, data is taken from w3techs.com. No raw figures are published publicly, but percentages of usage are taken from roughly the top 10 million sites on the web as listed by Alexa.com. Full details of the report data are available from their FAQ, but suffice to say I’m happy that it’s a good estimate of adoption.

What is ‘secure’

As with Anthony’s report last year, I class a version as ‘secure’ if it is:

- Supported by PHP officially (i.e. the latest secure patch)
- Supported by a popular, stable Linux distribution

For this report (and matching the distributions included last year) I’ve not included Windows binaries.

The operating systems and versions included are:

| Maintainer | OS/distro version | PHP Version |
|---|---|---|
| Ubuntu | 15.10 | 5.6.11 |
| Ubuntu | 15.04 | 5.6.4 |
| Ubuntu | 14.04 | 5.5.9 |
| Ubuntu | 12.04 | 5.3.10 |
| Debian | 8 | 5.6.14 |
| Debian | 7 | 5.4.45 |
| Debian | 6 | 5.3.3 |
| Debian | (LTS) 6 | 5.3.3* |
| CentOS | 7 | 5.4.16 |
| CentOS | 6.7 | 5.3.3 |
| CentOS | 5.11 | 5.1.6 |
| PHP | 7.0.0 | 7.0.0 |
| PHP | 5.6.16 | 5.6.16 |
| PHP | 5.5.30 | 5.5.30 |
| Fedora | 22 | 5.6.16 |
| Fedora | 23 | 5.6.16 |

It’s also worth noting that Zend offer commercial Long Term Support for PHP versions beyond the standard EOL. For example they’ll officially support 5.3 (unspecified patch version) until February 2017.
For the purposes of this report, Zend’s commercial support is not included in the list of secure releases.

* Debian 6 LTS package repository lists 5.3.3.1 as the PHP version

Data & Tables

The report is grouped into each minor release of PHP (e.g. 5.4).

For each patch version I’ve listed the patch release, the % of installs and the % that are secure.

- % of installs is the % of overall PHP installs
- % secure is the % of overall PHP installs that is considered secure, i.e. 0% if it’s insecure.

There is also a summary of the minor version including:

- % of php versions is the total adoption of the minor version compared with the overall PHP install list.
- % of which were secure is the % of patches within that minor version that are considered secure.
- % secure of overall installs is the % of minor versions that were secure compared with the overall PHP install list.

For example, according to last year’s figures:
> In 2014, PHP 5.6.x was 0.4% of all PHP versions; only 6.7% of all 5.6.x installations were secure; meaning 0.03% to the overall list of secure installations were a 5.6.x version.

Graphs

For each minor version I’ve provided two graphs. The first shows the fragmentation breakdown of patch versions across the whole release (e.g. 5.6.0 right through to 5.6.16). Those shaded in green are considered ‘secure’ and those greyed out are considered ‘insecure’.

I’ve also provided a chart showing the breakdown of the secure versions. This was predominantly for personal interest to see which secure patch releases were popular and potentially whether or not that indicates popularity of a particular OS/version etc.

Attributions

Before I dive into the numbers I want to briefly thank Anthony Ferrara for his work last year and for sanity checking my analysis this year, and Davey Shafik for reminding me of Zend’s commercial version support. A very big thank you to Wil Brown and Katie McLaughlin for helping review my numbers and graphs. Katie, I promise I’ll do nicer graphs next time!
Edit: Thank you Ben Dechrai for sprucing up my Twitter infographic!

PHP 5.6

Diving straight into the stats, I’ve summarised each patch release against the % of overall PHP installs, and the % of which are classed as secure.

| Version | % of installs | % secure |
|---|---|---|
| 5.6.16 | 0.08% | 0.08% |
| 5.6.15 | 1.04% | 0.00% |
| 5.6.14 | 1.12% | 1.12% |
| 5.6.13 | 0.86% | 0.00% |
| 5.6.12 | 0.23% | 0.00% |
| 5.6.11 | 0.18% | 0.18% |
| 5.6.10 | 0.14% | 0.00% |
| 5.6.9 | 0.18% | 0.00% |
| 5.6.8 | 0.12% | 0.00% |
| 5.6.7 | 0.11% | 0.00% |
| 5.6.6 | 0.08% | 0.00% |
| 5.6.5 | 0.11% | 0.00% |
| 5.6.4 | 0.06% | 0.06% |
| 5.6.3 | 0.06% | 0.00% |
| 5.6.2 | 0.12% | 0.00% |
| 5.6.1 | 0.04% | 0.00% |
| 5.6.0 | 0.14% | 0.00% |

PHP 5.6 is still a small portion of the overall install base at just 4.7%. It has, however, seen an over 10-fold increase in adoption from last year, which is fantastic! Interestingly, however, there are substantially more of these installs that are ‘secure’, jumping from 0.3% last year to 1.45% this year. Luckily, though, it hasn’t matched the popularity increase, which suggests developers are upgrading to secure versions and maintaining them (go team!).

I also found it curious that the majority of the secure installs were running 5.6.14 instead of the latest official PHP release, 5.6.16. The only Linux distribution to officially support 5.6.14 is Debian Jessie (released April 2015), which suggests Jessie may be the OS of choice when it comes to upgrades.

PHP 5.6 Summary

| Year | % of php versions | % of which were secure | % secure of overall installs |
|---|---|---|---|
| 2014 | 0.4% | 6.7% | 0.03% |
| 2015 | 4.7% | 30.8% | 1.45% |
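
The three summary figures defined under Data & Tables can be recomputed from the per-patch table, as the Python below does for 5.6. This is an added example, not part of the original report; `summarise` and its dictionary keys are names assumed here, and the data is copied from the report's support table and PHP 5.6 table.

```python
from decimal import Decimal

# Versions the report counts as 'secure' (copied from its support table):
# the latest official PHP releases plus what each listed distro ships.
SUPPORTED = {
    "5.6.16": ["PHP", "Fedora 22", "Fedora 23"], "5.6.14": ["Debian 8"],
    "5.6.11": ["Ubuntu 15.10"], "5.6.4": ["Ubuntu 15.04"],
    "5.5.30": ["PHP"], "5.5.9": ["Ubuntu 14.04"],
    "5.4.45": ["Debian 7"], "5.4.16": ["CentOS 7"],
    "5.3.10": ["Ubuntu 12.04"], "5.3.3": ["Debian 6", "CentOS 6.7"],
    "5.1.6": ["CentOS 5.11"], "7.0.0": ["PHP"],
}

# '% of installs' per 5.6 patch release, copied from the PHP 5.6 table.
SHARES_56 = {
    "5.6.16": "0.08", "5.6.15": "1.04", "5.6.14": "1.12", "5.6.13": "0.86",
    "5.6.12": "0.23", "5.6.11": "0.18", "5.6.10": "0.14", "5.6.9": "0.18",
    "5.6.8": "0.12", "5.6.7": "0.11", "5.6.6": "0.08", "5.6.5": "0.11",
    "5.6.4": "0.06", "5.6.3": "0.06", "5.6.2": "0.12", "5.6.1": "0.04",
    "5.6.0": "0.14",
}


def summarise(shares, minor, supported=SUPPORTED):
    """Return the three summary figures for one minor release (e.g. '5.6')."""
    total = secure = Decimal("0")
    secure_patches = {}
    for version, pct in shares.items():
        # Match the full 'major.minor.' prefix so '5.6' never matches '5.60.x'.
        if not version.startswith(minor + "."):
            continue
        pct = Decimal(pct)  # Decimal avoids float drift when summing 0.01% steps
        total += pct
        if version in supported:
            secure += pct
            secure_patches[version] = supported[version]
    # A minor release with no recorded installs has nothing to be secure.
    within = (secure / total * 100) if total else Decimal("0")
    return {
        "pct_of_php_versions": total,
        "pct_of_which_secure": within.quantize(Decimal("0.1")),
        "pct_secure_overall": secure,
        "secure_patches": secure_patches,
    }


if __name__ == "__main__":
    for key, value in summarise(SHARES_56, "5.6").items():
        print(key, value)
```

Summing the published per-patch figures gives 1.44% secure overall, against the 1.45% in the summary table; the gap is consistent with rounding in the source percentages.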

PHP 5.5

Last year PHP 5.5 was a little sad with 6% adoption, 36.6% of which were considered secure.

This year it’s still particularly sad, albeit marginally better from the secure standpoint with a jump from 36.6% to 56.2% of all patch versions at a secure release.

| Version | % of installs | % secure |
|---|---|---|
| 5.5.30 | 3.97% | 3.97% |
| 5.5.29 | 1.20% | 0.00% |
| 5.5.28 | 0.61% | 0.00% |
| 5.5.27 | 0.44% | 0.00% |
| 5.5.26 | 0.61% | 0.00% |
| 5.5.25 | 0.37% | 0.00% |
| 5.5.24 | 0.30% | 0.00% |
| 5.5.23 | 0.24% | 0.00% |
| 5.5.22 | 0.43% | 0.00% |
| 5.5.21 | 0.34% | 0.00% |
| 5.5.20 | 0.18% | 0.00% |
| 5.5.19 | 0.18% | 0.00% |
| 5.5.18 | 0.16% | 0.00% |
| 5.5.17 | 0.13% | 0.00% |
| 5.5.16 | 0.12% | 0.00% |
| 5.5.15 | 0.12% | 0.00% |
| 5.5.14 | 0.15% | 0.00% |
| 5.5.13 | 0.06% | 0.00% |
| 5.5.12 | 0.22% | 0.00% |
| 5.5.11 | 0.15% | 0.00% |
| 5.5.10 | 0.06% | 0.00% |
| 5.5.9 | 4.35% | 4.35% |
| 5.5.8 | 0.04% | 0.00% |
| 5.5.7 | 0.07% | 0.00% |
| 5.5.6 | 0.03% | 0.00% |
| 5.5.5 | 0.03% | 0.00% |
| 5.5.4 | 0.03% | 0.00% |
| 5.5.3 | 0.15% | 0.00% |
| 5.5.2 | 0.00% | 0.00% |
| 5.5.1 | 0.03% | 0.00% |
| 5.5.0 | 0.03% | 0.00% |

PHP 5.5 is, as one would expect, slightly more fragmented between patch versions, purely because there have been more of them and people don’t upgrade.

This graph shows just how fragmented the releases are - it’s almost as bad as Android devices! Remember that the green shading indicates a patch release that is considered secure.

What is perhaps not so surprising is the breakdown of secure versions - only 5.5.30 and 5.5.9 are supported (and 5.5.9 is due to Ubuntu 14.04 LTS so we’ll see this one around for a while). As for 5.5.30, it wouldn’t surprise me if the performance improvements in 5.5 prompted developers to push for third-party supported package repositories which were kept patched and up to date. This, of course, is pure speculation.

Despite PHP 5.5 already entering the security phase of its EOL, we’re still seeing a substantial increase in its adoption: more than double that measured in 2014, from 6% to 14.8% in 12 months.

PHP 5.5 Summary

| Year | % of php versions | % of which were secure | % secure of overall installs |
|---|---|---|---|
| 2014 | 6% | 36% | 2.19% |
| 2015 | 14.8% | 56.2% | 8.32% |

PHP 5.4

PHP 5.4 has the most patch releases in the 5.x series with 45 point releases before EOL and old age set in.

| Version | % of installs | % secure |
|---|---|---|
| 5.4.45 | 8.87% | 8.87% |
| 5.4.44 | 1.51% | 0.00% |
| 5.4.43 | 3.11% | 0.00% |
| 5.4.42 | 1.36% | 0.00% |
| 5.4.41 | 1.54% | 0.00% |
| 5.4.40 | 0.92% | 0.00% |
| 5.4.39 | 1.29% | 0.00% |
| 5.4.38 | 0.80% | 0.00% |
| 5.4.37 | 0.80% | 0.00% |
| 5.4.36 | 1.23% | 0.00% |
| 5.4.35 | 0.80% | 0.00% |
| 5.4.34 | 0.68% | 0.00% |
| 5.4.33 | 0.68% | 0.00% |
| 5.4.32 | 0.46% | 0.00% |
| 5.4.31 | 0.34% | 0.00% |
| 5.4.30 | 0.65% | 0.00% |
| 5.4.29 | 0.34% | 0.00% |
| 5.4.28 | 0.40% | 0.00% |
| 5.4.27 | 0.52% | 0.00% |
| 5.4.26 | 0.34% | 0.00% |
| 5.4.25 | 0.22% | 0.00% |
| 5.4.24 | 0.40% | 0.00% |
| 5.4.23 | 0.22% | 0.00% |
| 5.4.22 | 0.15% | 0.00% |
| 5.4.21 | 0.15% | 0.00% |
| 5.4.20 | 0.15% | 0.00% |
| 5.4.19 | 0.12% | 0.00% |
| 5.4.18 | 0.03% | 0.00% |
| 5.4.17 | 0.15% | 0.00% |
| 5.4.16 | 1.02% | 1.02% |
| 5.4.15 | 0.06% | 0.00% |
| 5.4.14 | 0.12% | 0.00% |
| 5.4.13 | 0.06% | 0.00% |
| 5.4.12 | 0.03% | 0.00% |
| 5.4.11 | 0.06% | 0.00% |
| 5.4.10 | 0.03% | 0.00% |
| 5.4.9 | 0.12% | 0.00% |
| 5.4.8 | 0.03% | 0.00% |
| 5.4.7 | 0.06% | 0.00% |
| 5.4.6 | 0.12% | 0.00% |
| 5.4.5 | 0.03% | 0.00% |
| 5.4.4 | 0.80% | 0.00% |
| 5.4.3 | 0.03% | 0.00% |
| 5.4.2 | 0.00% | 0.00% |
| 5.4.1 | 0.00% | 0.00% |
| 5.4.0 | 0.03% | 0.00% |

Firstly, it’s worth highlighting the consistent fragmentation across patch releases.

Interestingly enough, 5.4.45 is probably so popular since it’s the officially supported version of Debian 7, accounting for 28.8% of the overall 5.4 install base.

There are only two secure releases of 5.4: one (5.4.45) is supported by Debian 7, while 5.4.16 is supported by CentOS 7. It’s worth recognising that CentOS follows RHEL package support, hence it is a very strong driver for version selection and support.

There’s some good and some bad with these stats. We’ve seen a jump from 26.4% to 30.8% in adoption of the 5.4 series, but more importantly the number of secure installs has jumped from 10.6% to 32.1%. It would seem that, as with the 5.5 and 5.6 releases, developers increasingly upgrading to 5.4 are upgrading to and maintaining a secure version.

It’s not a comforting raw percentage, but it is good to see the rate of secure installs increase!

Congrats PHP folks, you’re (slowly) learning to patch your sh*t! Yay!

PHP 5.4 Summary

| Year | % of php versions | % of which were secure | % secure of overall installs |
|---|---|---|---|
| 2014 | 26.4% | 10.6% | 2.80% |
| 2015 | 30.8% | 32.1% | 9.89% |

PHP 5.3

Released in June 2009, PHP 5.3 just WON’T DIE! That’s 6.5 years and it’s still kicking along with official support from Debian 6 and Ubuntu 12.04.

| Version | % of installs | % secure |
|---|---|---|
| 5.3.30 | 0.00% | 0.00% |
| 5.3.29 | 13.39% | 0.00% |
| 5.3.28 | 3.28% | 0.00% |
| 5.3.27 | 1.36% | 0.00% |
| 5.3.26 | 0.64% | 0.00% |
| 5.3.25 | 0.21% | 0.00% |
| 5.3.24 | 0.21% | 0.00% |
| 5.3.23 | 0.39% | 0.00% |
| 5.3.22 | 0.14% | 0.00% |
| 5.3.21 | 0.18% | 0.00% |
| 5.3.20 | 0.14% | 0.00% |
| 5.3.19 | 0.21% | 0.00% |
| 5.3.18 | 0.21% | 0.00% |
| 5.3.17 | 0.25% | 0.00% |
| 5.3.16 | 0.11% | 0.00% |
| 5.3.15 | 0.25% | 0.00% |
| 5.3.14 | 0.18% | 0.00% |
| 5.3.13 | 0.71% | 0.00% |
| 5.3.12 | 0.00% | 0.00% |
| 5.3.11 | 0.00% | 0.00% |
| 5.3.10 | 2.96% | 2.96% |
| 5.3.9 | 0.11% | 0.00% |
| 5.3.8 | 0.46% | 0.00% |
| 5.3.7 | 0.00% | 0.00% |
| 5.3.6 | 0.36% | 0.00% |
| 5.3.5 | 0.21% | 0.00% |
| 5.3.4 | 0.04% | 0.00% |
| 5.3.3 | 8.85% | 8.85% |
| 5.3.2 | 0.68% | 0.00% |
| 5.3.1 | 0.04% | 0.00% |
| 5.3.0 | 0.04% | 0.00% |

There’s not too much to highlight here, other than that a lot of people aren’t patching, and the few that are, are probably sitting on an LTS release from Debian or Ubuntu.

My personal curiosity sees that 5.3.3 is both a Debian 7 and CentOS 6.7 supported release. Since we assume a secure patch version indicates a stock/supported OS, this indicates that Debian 7 and CentOS 6.7 share a combined ~75% market share for this audience. Given they’re running 5.3.x I’d suggest they’re the market share of users not interested in new shiny features or performance ;) I haven’t analysed further which OS is more popular.

It’s also worth putting this in context because PHP 5.4+ broke a lot of things, including the removal of call-time pass-by-reference, magic quotes and register_globals. For projects with a substantially old enough code history, it’s likely that dependence on the deprecated language features and settings could be a core blocker of upgrading rather than a disinterest in the lure of features, performance and security.

PHP 5.3 Summary

Simply put, PHP 5.3 has declined in use over the past 12 months (as it should) but the portion of insecure installs remains roughly the same.

| Year | % of php versions | % of which were secure | % secure of overall installs |
|---|---|---|---|
| 2014 | 45.9% | 33.9% | 15.56% |
| 2015 | 35.7% | 33.1% | 11.82% |

Other Versions

PHP 5.2 and 5.1 still have a somewhat noteworthy install base; luckily, however, 5.0 has < 0.1% of all installs so I happily ignore 5.0. Sadly though, 4.x still has a 1.3% install base across all PHP sites. Fellow coders, 4.x was deprecated in 2007 with security patches until August 2008 (that’s more or less 8 years ago)!

PHP 5.2 Summary

PHP 5.2 has no actively supported versions by any distribution and yet it accounts for 13.1% of overall PHP installations - a slightly alarming statistic!

| Year | % of php versions | % of which were secure | % secure of overall installs |
|---|---|---|---|
| 2014 | 20.10% | 0% | 0% |
| 2015 | 13.1% | 0% | 0% |

PHP 5.1 Summary

PHP 5.1 is only actively supported by CentOS 5.11 with an EOL of March 2017. That’s right. You can expect 5.1 to remain in production in another year’s time AND still be supported!

| Year | % of php versions | % of which were secure | % secure of overall installs |
|---|---|---|---|
| 2014 | 1.2% | 94.80% | 1.14% |
| 2015 | 0.9% | 95.2% | 0.86% |

What does this mean?

Ok so there’s a lot of stats above, and even my head hurts trying to digest them. What does all this mean to developers?

Firstly, overall version adoption is an important factor in the support roadmap of frameworks and libraries. With the release of 7.0 there’s also an ongoing discussion in internals as to what the PHP 5.6 support lifecycle will be (and hence when its EOL is to be expected).

Overall version adoption

Particularly exciting is that 5.6, 5.5 and 5.4 are all substantially more popular this year than last year. With the reduced usage of 5.3 it seems developers have been upgrading a substantial number of their applications over the last 12 months.

% of each version that is secure

We can see that the increased adoption of 5.4, 5.5 and 5.6 is also resulting in a migration to secure versions! So not only are people upgrading but they’re upgrading securely. Note, however, that these are percentages of the minor version, so whilst PHP 7 may show 90%, it’s 90% of only 0.1% of all PHP installs.

It’s also crucial we appreciate the ‘gaps’ here. Whilst 5.6 might look like it’s had an impressive % secure adoption, it’s evident that nearly 70% of installs are unpatched and insecure.

So what does this mean overall? Enter graph three!

% of overall secure installs

This is the real endgame of my analysis. Last year it was evident that most secure installs were 5.3. What’s exciting this year is that 5.5 and 5.4 are contributing much more to the overall % (so sites that are secure are also more likely to be on a recent release).

It’s also exciting that this year we’re seeing an estimated 32.42% of PHP installs being assumed secure. Considering last year was 21.73%, that’s a 49.19% increase in secure installs.

Emphasis on increase of course… we’re still looking at two thirds of PHP in the wild being assumed insecure.

So PHP, well done on the secure improvements! Now let’s make 2016 the upgrade year and remember to ‘Patch Yo Sh*t!’